Organizations of all sizes, from startups through to multinationals, are moving their office applications, collaboration and email into the cloud, and Google Workspace is one of the leaders in this area. The move of these applications to the cloud has not escaped the attention of threat actors, however, and cyber attacks on platforms like Google Workspace are an increasing problem. While security is a major area of focus for the likes of Google, additional tools are still needed to provide a holistic security solution for platforms like Google Workspace. In this post we will explore how XDR forms an important element in providing comprehensive protection for your Google Workspace.
The Cloud Threat Landscape
As organizations move their data and applications to the cloud, this has the unfortunate side effect of increasing their attack surface. Gone are the days when the firewall acted as the single point of protection against threats. To make things more complicated, the rich functionality offered by services like Google Workspace also provides a large number of routes for attackers to compromise them, including account compromise, denial of service, API vulnerabilities, email attacks (such as phishing), security misconfigurations and insider threats.
Google Workspace Targeted by Threat Actors
While Google is a leader in the security space, no application or platform is invulnerable, and users still need to be aware of the potential routes that threat actors may take to attack Google Workspace. The rich functionality of Workspace, together with its ubiquity, provides a wide range of approaches which cybercriminals can take:
- Accessibility from anywhere means attackers can access it from anywhere. In the same way that your users benefit from being able to reach cloud resources from any location, attackers can too. This means you need a means of detecting access from unusual locations or countries.
- Credential theft is and probably will always be a favorite route of attack. In 2021, 60% of breaches were related to stolen credentials or phishing. This underscores the importance of using multi-factor authentication for your Google accounts.
- Email attacks continue to become more and more sophisticated and deceptive. One example that specifically targets Google Docs is an account takeover worm which deceives users into giving a malicious third party app access to their Google Workspace account.
- The amount of data stored in Google Workspace eventually leads to a lack of visibility, because it becomes hard to keep track of exactly what you have shared externally. As a result you may inadvertently share data that should not be shared, or documents may remain shared for longer than they should be.
- As with all cloud services, misconfiguration of Google Workspace is a significant area of risk. It is estimated that at least 10000 organizations are leaking data in this way.
- The ability to store unstructured data in Workspace creates flexibility. However, because there are so many different types of data that you can store in Workspace, this makes it hard to track what information you actually have in your cloud environment. This means there is always a risk of sensitive data being exposed.
- Insider threats: there always remains a risk that your own users could become a threat by leaking your data.
- Flexibility creates a risk of accidental data leakage. Users may accidentally share sensitive data, or store it in a way that is not sufficiently protected; they could, for instance, store data in a folder that is shared externally. Google provides rich functionality to implement Data Loss Prevention (DLP). The big challenge with implementing DLP, however, is knowing whether the rules you have created are effective and whether any gaps exist.
- Google provides effectively limitless functionality through third-party applications, which can be installed via its marketplace. While most are business-grade with strong security, there is a slight risk that a third-party app may introduce a vulnerability and result in your account being breached. You should regularly audit third-party access, and monitor for anomalies in how your data is accessed.
Even if you are cautious, and follow a rigorous approach in implementing security controls, there always remains a degree of risk. The impact of a breach could be considerable, extending beyond purely financial loss to reputational damage, loss of customers and legal consequences. In fact, 60% of small businesses are likely to fail within 6 months of a breach.
While Google does have a rich set of security controls available, the complexity of the solution leaves customers in a position where they lack visibility. Comprehensive audit logging is available across all of the components of Workspace, but the volume of these logs means you need additional tools to help you focus on the important details. As with most audit logs, the ones provided by Google include a lot of innocuous events which you need to filter out in order to focus on the ones that identify security concerns. In addition, you need a way to integrate alerting from Google Workspace with the alerts coming from your other security tools and controls.
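The filtering described above, and the detection of logins from unusual countries and of documents shared outside the organization mentioned in the list earlier, can be illustrated with a small triage routine run over a handful of audit records. This is an added example, not Samurai XDR's or Google's code: the record layout and field names (`app`, `event`, `actor`, `ip_country`, `visibility`, `doc`) are a simplified, constructed format loosely modelled on login and Drive audit events rather than Google's exact schema, the sample log lines are constructed, and the set of expected countries and the failure threshold are assumptions a deployment would tune.

```python
"""Triage a stream of Workspace-style audit events: drop routine activity and
keep only records worth a security analyst's attention.

Added illustration, not Samurai XDR or Google code. The record layout is a
simplified, constructed one (loosely modelled on login and Drive audit events);
the field names are assumptions for this example, not Google's exact schema.
"""
import json
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample log: one JSON record per line (not real Workspace output).
SAMPLE_LOG = """\
{"ts": "2024-09-02T08:01:10Z", "app": "login", "event": "login_success", "actor": "alice@example.com", "ip_country": "GB"}
{"ts": "2024-09-02T08:03:42Z", "app": "drive", "event": "edit", "actor": "alice@example.com", "visibility": "private"}
{"ts": "2024-09-02T08:10:05Z", "app": "login", "event": "login_failure", "actor": "bob@example.com", "ip_country": "GB"}
{"ts": "2024-09-02T08:10:09Z", "app": "login", "event": "login_failure", "actor": "bob@example.com", "ip_country": "GB"}
{"ts": "2024-09-02T08:10:14Z", "app": "login", "event": "login_failure", "actor": "bob@example.com", "ip_country": "GB"}
{"ts": "2024-09-02T08:10:20Z", "app": "login", "event": "login_failure", "actor": "bob@example.com", "ip_country": "GB"}
{"ts": "2024-09-02T08:10:25Z", "app": "login", "event": "login_failure", "actor": "bob@example.com", "ip_country": "GB"}
{"ts": "2024-09-02T08:11:00Z", "app": "login", "event": "login_success", "actor": "bob@example.com", "ip_country": "GB"}
{"ts": "2024-09-02T09:30:00Z", "app": "login", "event": "login_success", "actor": "alice@example.com", "ip_country": "RU"}
{"ts": "2024-09-02T09:32:17Z", "app": "drive", "event": "change_acl", "actor": "alice@example.com", "doc": "Q3-payroll.xlsx", "visibility": "people_with_link"}
{"ts": "2024-09-02T09:40:00Z", "app": "drive", "event": "view", "actor": "carol@example.com", "visibility": "private"}
"""

# Countries the organisation normally operates from (assumption; tune per tenant).
EXPECTED_COUNTRIES = {"GB", "IE"}
# Consecutive failures for one account that we treat as a brute-force signal (assumption).
FAILURE_THRESHOLD = 5
# Visibility values meaning a document is reachable outside the domain (assumed names).
EXTERNAL_VISIBILITY = {"people_with_link", "public_on_the_web"}


def parse_events(text: str) -> List[Dict]:
    """Parse newline-delimited JSON records, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad line should not abort the whole batch
    return events


def triage(events: Iterable[Dict]) -> List[Dict]:
    """Return a prioritised list of alerts; routine events produce nothing."""
    alerts = []
    failures = defaultdict(int)  # actor -> current run of consecutive login failures
    for ev in events:
        actor = ev.get("actor", "?")
        if ev.get("app") == "login":
            if ev.get("event") == "login_failure":
                failures[actor] += 1
                if failures[actor] == FAILURE_THRESHOLD:  # alert once per burst
                    alerts.append({"severity": "medium", "rule": "repeated_login_failures",
                                   "actor": actor, "ts": ev["ts"]})
            elif ev.get("event") == "login_success":
                if failures[actor] >= FAILURE_THRESHOLD:  # burst ended in a success
                    alerts.append({"severity": "high", "rule": "success_after_failure_burst",
                                   "actor": actor, "ts": ev["ts"]})
                failures[actor] = 0
                country = ev.get("ip_country")
                if country and country not in EXPECTED_COUNTRIES:
                    alerts.append({"severity": "high", "rule": "login_from_unexpected_country",
                                   "actor": actor, "ts": ev["ts"], "country": country})
        elif ev.get("app") == "drive":
            # Edits and views stay private; only a sharing change that opens the
            # document to people outside the domain is surfaced.
            if ev.get("event") == "change_acl" and ev.get("visibility") in EXTERNAL_VISIBILITY:
                alerts.append({"severity": "medium", "rule": "document_shared_externally",
                               "actor": actor, "ts": ev["ts"], "doc": ev.get("doc")})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(alerts, key=lambda a: (order[a["severity"]], a["ts"]))


if __name__ == "__main__":
    for alert in triage(parse_events(SAMPLE_LOG)):
        print(alert)
```

Of the eleven constructed records, only four become alerts; the routine successful login from an expected country and the private Drive edit and view are filtered out, and the successful login that follows a run of failures is ranked above the failure run itself so the analyst sees the likelier compromise first.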
Creating Full Visibility
As you strive for full visibility, staff responsible for managing security operations can easily be overwhelmed by the volume of security alerts generated by your technology estate. To manage this, you need a “single pane of glass” where you can surface alerts from all of your technology assets, covering both on premises and cloud. This single pane of glass needs to triage alerts across your entire infrastructure, presenting you with a prioritized view, which allows you to focus on the most important alerts first while also suppressing false positives. This is where the detailed logging provided by Workspace and the analytical capabilities of XDR form a perfect marriage. XDR can ingest and analyze logs from Workspace and provide visibility in a single view together with all of your organization’s security alerting from other cloud and on-premises infrastructure.
While Google retains logs for 6 months, Samurai XDR allows you to store logs and alerts for longer periods of time, typically for a year. When combined with the rich query capability provided by XDR this provides you with the ability to perform threat hunts which allow you to scan past events for activity such as data exfiltration, which might otherwise have gone undetected.
To help you gain a more comprehensive level of protection, Samurai XDR is pleased to announce the availability of an integration with Google Workspace. To see how this can enhance the security of your Google Workspace, sign up for our 30 day free trial now.